Election1

Target IP: 192.168.194.211


Scanning

There are two TCP ports open on the target machine: SSH and HTTP.


Enumeration

Port 80: HTTP
The target host is using Apache, so the default page is displayed when I visit this application from a web browser. Doing a directory search leads to interesting directories as shown above.

The robots.txt contains the entries above. Only /election is a valid directory.

The /election page is an interesting webpage. It is some sort of application that users can use to vote for candidates. After navigating around the website for some time, I did not find anything useful. Viewing the source code of the application did not result in anything useful.

After performing a scan against the directory, I obtained interesting results.

The /card.php is an interesting page. It contains binary data as shown above.
After converting the long binary data to ASCII, I got another long string of binary data. Then converting this to ASCII, I obtained the result above. I now have the credentials: 1234:Zxc123!@#. Maybe I can spray this against SSH or another login page for this application.
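
The two-step conversion described above, as an added example that is not part of the original write-up: a decoder that strips repeated layers of 8-bit binary text until plaintext remains, which shows why this kind of encoding gives stored credentials no protection. The sample input is constructed and the function names are hypothetical.

```python
import re

# A layer is text made only of 0/1 characters and optional whitespace.
BITS = re.compile(r"[01\s]+")

def decode_layer(text):
    """Decode one layer of 8-bit binary text to ASCII.

    Returns None when the text is not a well-formed layer (other characters,
    bit count not a multiple of 8, or bytes outside the ASCII range)."""
    if not BITS.fullmatch(text):
        return None
    bits = "".join(text.split())
    if not bits or len(bits) % 8:
        return None
    raw = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))
    try:
        return raw.decode("ascii")
    except UnicodeDecodeError:
        return None

def peel(text, max_layers=10):
    """Strip nested binary layers; return (plaintext, layers_removed)."""
    layers = 0
    while layers < max_layers:
        decoded = decode_layer(text)
        if decoded is None:
            break
        text, layers = decoded, layers + 1
    return text, layers

def encode_layer(text, sep=" "):
    """Helper used only to build the constructed sample below."""
    return sep.join(format(b, "08b") for b in text.encode("ascii"))

# Constructed sample (not the page's data): inner layer is space-separated,
# outer layer is one contiguous run of bits.
SECRET = "user:demo\npass:constructed-value"
SAMPLE = encode_layer(encode_layer(SECRET), sep="")

if __name__ == "__main__":
    plain, depth = peel(SAMPLE)
    print(f"{depth} layer(s) removed:\n{plain}")
```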

The /admin page contains a login page. Spraying the credentials 1234:Zxc123!@#, I gained access to the admin page.

After enumerating the web application for some time, I found an interesting section that contains more information about the web application. This section also contains a log file under the Logging then View Logs section. This log file contains the content above, the credential love:P@$$w0rd@123. Maybe it is a valid login for SSH?


Exploitation

Spraying the credentials I obtained from the log file worked! I now have a foothold on the machine as love.


Privilege Escalation

I found an interesting binary called /usr/local/Serv-U/Serv-U. Doing a Google search returned the webpage above. I downloaded this exploit on my machine and transferred it to the target machine. After running the exploit, I gained a root shell.



Flags

The local.txt flag once I gained a foothold on the machine as the user love.

The root.txt flag once I used a local privilege escalation exploit against Serv-U.